Bafin seeks public comment on the 9th amendment to the MaRisk
EU RegCORE Client Alert | German Regulatory Developments
QuickTake
On 1 April 2026, the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht - Bafin) [Footnote: The abbreviation for the Federal Financial Supervisory Authority is now written with a lowercase ‘f’.] published the draft of the 9th amendment to the “Minimum Requirements for Risk Management (MaRisk)” [Footnote: Comparison version | Draft for Consultation] for consultation. According to the draft, the MaRisk are to be fundamentally revised.
The revised version is intended to significantly reduce the complexity of regulatory requirements. Furthermore, a new transparent classification of small and very small institutions is intended to simplify the proportional gradation of the applicable requirements in future.
Furthermore, as part of this process, Bafin is also implementing the guidelines on environmental scenario analysis (EBA/GL/2025/04), as well as the guidelines on internal governance (EBA/GL/2021/05).
Key Takeaways
Reducing complexity
As part of the consultation, there is a noticeable new focus on individual risk assessment in accordance with the principle of proportionality. For example, in the case of very small institutions, approval from the front and back offices may be dispensed with if senior management is directly involved in the granting of risk-relevant loans and this ensures that lending activities are handled properly and in a manner appropriate to the existing risks. [Footnote: MaRisk Consultation BTO 1.1 Separation of powers and voting (Funktionstrennung und Votierung), Page 42, Rn. 1.] In non-risk-relevant lending business, financial institutions may generally benefit from relief (e.g. in conducting sensitivity analyses), provided that risks are assessed appropriately and consumer protection requirements are met. [Footnote: MaRisk Consultation BTO 1.2.1 Provision of credit (Kreditvergabe), Page 48 ff, Rn. 1.] Furthermore, very small institutions may dispense with risk-type-specific stress tests if the stress test for the overall risk profile negatively affects all material risks, and for small institutions, a severe economic downturn is sufficient as a bank-wide scenario; further scenarios are not required. [Footnote: MaRisk Consultation AT 4.3.3 Stress tests (Stresstests), Page 21, Rn. 2-4.]
Redundant content and provisions already regulated by law are also removed to make MaRisk more streamlined and clearer.
Facilitating proportional differentiation
For setting regulatory requirements, institutions are divided into three size categories:
- Very small institutions (total assets up to €1 billion):
  Very small institutions are institutions, factoring institutions and CRD [Footnote: Capital Requirements Directive (EU) 2013/36.] third-country branches that do not exceed a balance sheet total of €1 billion on a four-year average. (Factoring institutions are, in addition, only considered very small if the annual volume of receivables purchased does not exceed €5 billion on a four-year average.)
- Small and Non-complex Institutions (SNCIs) (up to €5 billion total assets):
  Small institutions are those referred to in Article 4(1)(145) of the Capital Requirements Regulation (Regulation (EU) No 575/2013 – CRR) as well as third-country branches of risk class 2 under the CRD. [Footnote: MaRisk Consultation AT 1 Purpose of the letter (Ziel des Rundschreibens), Page 8, Rn. 3.]
- Less Significant Institutions (LSIs)
This approach sets out fixed thresholds that enable clear classification and reduces the regulatory burden on smaller and less significant institutions, as the above examples regarding credit risk analysis and stress tests demonstrate. [Footnote: MaRisk Consultation BTO 1.1 Separation of powers and voting (Funktionstrennung und Votierung), Page 42, Rn. 1, BTO 1.2.1 Provision of credit (Kreditvergabe), Page 48 ff, Rn. 1.] This is likely to lead to a significant reduction in the burden of implementing regulatory requirements. The result is a stronger focus on the individual risks of the institutions.
Furthermore, MaRisk will not be applicable to significant institutions (SIs) in order to avoid double regulation. SIs remain under the direct supervision of the European Central Bank.
Adjustment of the exemption clauses
As additional requirements regarding the exemption clauses have largely been removed, the exemption clauses for small and very small institutions, enabling them to claim relief or exemptions from MaRisk requirements, are now easier to apply.
For example, previously, in the case of the functional separation of the front-office and back-office areas in the lending business, the requirements for waiving the separation were a credit volume of no more than €100 million, the presence of only two senior managers, and a simple structure of the lending business. [Footnote: MaRisk Consultation (Comparison version) BTO 1.1 Separation of powers and voting (Funktionstrennung und Votierung), Page 76 ff., Rn. 1, on the right.] Under the new version, it is now sufficient for small institutions with up to three senior managers to generally have an organizational separation between risk control and the market division for ‘non-risk-relevant’ lending business, provided there are no conflicts of interest. [Footnote: MaRisk Consultation BTO 1.1 Separation of powers and voting (Funktionstrennung und Votierung), Page 42, Rn. 1.]
Another example is the change from a rigid requirement for an annual review of the procedures for valuing collateral in the lending business (“must be reviewed annually”) [Footnote: MaRisk Consultation (Comparison version) BTO 1.2 Requirements for credit business processes (Anforderungen an die Prozesse im Kreditgeschäft), Page 84, Rn. 2.] to a more flexible version that now only requires a certain degree of regularity (“The procedures for valuing collateral must be reviewed regularly, at least every two years for small institutions.”). [Footnote: MaRisk Consultation BTO 1.2 Requirements for credit business processes (Anforderungen an die Prozesse im Kreditgeschäft), Page 46, Rn. 2, on the left.]
With regard to stress tests, very small institutions may dispense with risk-specific stress tests, provided that all material risks are negatively affected in the stress test for the overall risk profile. [Footnote: MaRisk Consultation AT 4.3.3 Stress tests (Stresstests), Page 21, Rn. 2.] For small institutions, a severe economic downturn (or a comparable stagflation scenario) is generally sufficient as a bank-wide scenario, provided that all material risks are negatively impacted therein. [Footnote: MaRisk Consultation AT 4.3.3 Stress tests (Stresstests), Page 21 f., Rn. 3.]
Implementation of the Guideline on Environmental Scenario Analysis (EBA/GL/2025/04) [Footnote: Guidelines on environmental scenario analysis_DE_COR.pdf; cf. MaRisk Consultation AT 1 Purpose of the circular (Ziel des Rundschreibens), EBA-Guideline (EBA-Leitlinien), Page 7, Rn. 2.]
Furthermore, the Guideline on Environmental Scenario Analysis is being implemented in line with the current version of MaRisk. According to this, from 1 January 2027 financial institutions are obliged to systematically take climate-related risks into account in their risk diversification. To this end, institutions are required to develop ‘what-if’ scenarios regarding the resilience of their business models across various time horizons in order to identify risks at an early stage.
Implementation of the Guidelines on Internal Governance (EBA/GL/2021/05) [Footnote: Guidelines on internal governance under CRD_DE - updated.docx; cf. MaRisk Consultation AT 1 Purpose of the circular (Ziel des Rundschreibens), EBA-Guideline (EBA-Leitlinien), Page 7, Rn. 2.]
In addition, the Guidelines on Internal Governance, which are currently only available as a consultation draft, are also included. These dictate comprehensive internal rules, processes and mechanisms to ensure effective and prudent management.
Note: Sections from the above-mentioned EBA guidelines need only be observed in addition to the requirements of MaRisk if MaRisk refers to these sections. Otherwise, the EBA guidelines are deemed to have been fully implemented in MaRisk.
Outlook and next steps
It remains to be seen which changes will actually take effect by the time MaRisk is finalized. Nevertheless, it is already clear that the trend is moving away from rigid over-regulation toward greater flexibility and a stronger focus on proportional, and thus more individualized, risk assessment.
Comments on the draft may be submitted to Bafin and the Deutsche Bundesbank by May 8, 2026.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities as well as in proactively engaging with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” and the “2025 Regulatory, Governance and Compliance Technology Award in 2025”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.